Control-system designers say newer version could have prevented LAN crash

If the USS Yorktown had been running the most recent version of an engineering control
system, the Smart Ship probably would not have suffered a LAN failure that left it dead in
the water for three hours last year, according to the system’s designer.


An early version of the Standard Monitoring and Control System (SMCS), developed by
Canadian Aviation Electronics (CAE) Inc. of Toronto, is running aboard the Yorktown Smart
Ship and the Navy’s MHC-51 Osprey mine-hunting ships. But newer versions are planned
or running in foreign navies, including those of Canada, Germany, Israel, Korea, the
Netherlands and the United Kingdom.


The newer versions would prevent a database overload if someone entered a zero in a
data field—the action that triggered the Yorktown’s LAN crash Sept. 21, 1997,
CAE officials said.


“The Yorktown’s SMCS system is obsolete by CAE and foreign navy
standards,” said David Schreder, an engineer with CAE Electronics Inc., a Leesburg,
Va., division of the Canadian company.


CAE in October 1996 installed SMCS and the company’s Damage Control System (DCS)
aboard the Yorktown. SMCS runs on 27 dual 200-MHz Pentium Pro miniature remote terminals.
The machinery control and monitoring software troubleshoots the ship’s propulsion,
auxiliary, fuel and electrical systems.


CAE initially provided the Yorktown with SMCS and DCS hardware and software. But the
company also helped install, integrate and test other Smart Ship systems, including the
Integrated Bridge System from Sperry Marine Inc. of Charlottesville, Va., the Integrated
Condition Assessment System from IDAX Inc. of Norfolk, Va., the Hydra wireless
communications system from Ericsson Inc. of Stockholm, Sweden, and a Navy-designed
asynchronous transfer mode LAN.


Typically, the company would spend about three years on such a project, Schreder said.
But CAE completed the SMCS retrofit in just eight months to meet the Yorktown’s Smart
Ship deployment schedule.


“We knew there were some risks in the engineering development model propulsion
control system installed under a rapid prototyping development effort,” said Cmdr.
Richard Rushton. He was the Yorktown’s commanding officer from the beginning of the
Smart Ship project in October 1995 through the end of the assessment period in June 1997.


“The data field safeguards found in production-level systems were not installed in
the Yorktown, by intention, until the complete wiring-out was accomplished,” he said.


The Yorktown’s LAN failure occurred when a petty officer tried to manually
calibrate a fuel valve by entering a zero in an SMCS data field. The resulting database
overload crashed the ship’s LAN.


“We were able to respond within two hours to a request for assistance from the
Yorktown and to provide a workaround that enabled the ship to reboot its entire control
system,” said Roger Baker, marketing manager for CAE Electronics Ltd. in Quebec.


“The Yorktown is unique because it was a proof-of-concept [ship] put out to sea
without formal testing and software certification, which our products normally go
through,” Baker said. “The software version on the Yorktown had certain features
we wouldn’t normally provide, including a maintenance terminal to allow the
ship’s crew to perform adjustments before final commissioning.”


CAE first developed SMCS in the early 1990s under a Navy contract. That work was the
basis for the system eventually installed on the Yorktown, Baker said. The initial SMCS
used Future Bus Plus, a custom embedded platform, but CAE migrated to Microsoft Windows
NT, he said.


SMCS has two system levels: the NT user interface and secondary monitoring and control
surveillance code, Baker said. SMCS’ control code, written in Ada, is basically the
same code created by CAE in 1993, he said.


“We migrated to Windows NT for the man-machine interface since that was a de facto
standard mandated by the U.S. Navy for the Smart Ship program,” Baker said.


NT played no role in the Yorktown’s LAN crash, Baker said.


Some outside observers, however, said they are not convinced NT is blameless.


“It still boggles the mind that any divide by zero error on NT would cause a
system to crash, let alone” 27 end-user terminals, said Gil Young, corporate network
engineer for a systems integration firm in Orlando, Fla. “I don’t care what
operating system, computer or application I’m using, I should be able to type in a
zero and expect the computer not to crash, especially if that zero is to represent a
closed valve.”


The Yorktown’s Smart Ship systems received an extensive March 1997 operational
assessment by the Navy’s Commander Operational Test and Evaluation Force, in which no
major deficiencies were noted and the system was recommended for installation on other
ships. Both the Navy Manpower Analysis Center and the Propulsion Examination Board
evaluated the Yorktown and concluded that the systems were ready for fleet operations.


Just two days before the September 1997 LAN crash aboard the Yorktown, Atlantic
Fleet’s Naval Surface Force forwarded a Smart Ship Project Assessment Report to the
Chief of Naval Operations stating that the Yorktown met all mission requirements. The
commander in chief of Atlantic Fleet approved the Smart Ship final report on Oct. 17,
never mentioning the LAN crash aboard the Yorktown only weeks earlier.


The Navy plans to install an SMCS-like system on all its CG-47 Class Cruisers, Baker
said. The service’s new class of amphibious assault ships, called the Landing
Platform Dock-17, will incorporate the Yorktown’s Smart Ship technology developed by
CAE, he said.  

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above